Timestamping a Hash: Proving When a File Existed
Introduction: WHAT vs WHEN
A cryptographic hash is brilliant at one thing: proving what a file is. Run a file through a hash function and you get a short fingerprint that is unique for all practical purposes; if a single byte changes, the fingerprint changes completely. That is how a hash proves a file is unaltered. But a hash says nothing about when the file existed. For priority disputes, evidence, contracts and audits, the timing question is often the one that matters most. This is where timestamping a hash comes in: a hash proves WHAT, and a trusted timestamp proves WHEN. Pair the two and you can show, to a neutral verifier, that a specific file existed at a specific moment. You can produce the fingerprint side of that pair in seconds with e-Dex (formerly Hash Calculator).
The Problem: A Hash Alone Does Not Prove Time
Here is the gap most people miss. A hash proves a file has not changed, but it carries no reliable date of its own. The "modified" date you see in a file's properties comes from your computer's local clock, and a local clock is not trustworthy evidence. It can be wrong, it can drift, and it can be deliberately set to any value — backdated or forward-dated — in seconds. If you simply write down "I hashed this file on the 1st," you are asking everyone to take your word for the date. In any dispute, the other side will rightly point out that you could have set your clock to anything. A self-recorded time is not independent proof. To prove WHEN a file existed, the time has to be attested by someone who has no stake in your claim.
Trusted Timestamps: Bringing in a Neutral Witness
A trusted timestamp solves this by introducing an independent party called a Time-Stamping Authority (TSA). The TSA acts as a neutral witness with a verified, reliable clock. You hand it your file's hash; it combines that hash with its own trusted time and signs the pair with its private key. The result is a signed token that says, in effect, "I, the authority, confirm that this exact hash was presented to me at this exact time." Because the authority is independent and the token is cryptographically signed, you can later prove your data existed at that moment — and crucially, you do this without revealing the data itself. The confidentiality follows naturally from the fact that you only ever send the hash, never the file.
How It Works at a High Level
The mechanics are defined by an open internet standard, RFC 3161, so any compliant tool and any compliant authority interoperate. The flow is simple. First, you compute the hash of your file locally. Second, you send only that hash to an RFC-3161 Time-Stamping Authority. Third, the TSA adds its trusted time, signs the combination, and returns a signed timestamp token. That token — a small file you keep alongside your evidence — is your portable, verifiable proof of time. Note what never travels across the network: your actual document. The authority signs a fingerprint it cannot reverse, so a secret contract or unpublished invention stays secret while still gaining a provable date.
Where Timestamping a Hash Matters
Intellectual property and priority. Inventors, designers and authors timestamp the hash of a draft, design file or manuscript to establish that the work existed on a given date — useful when priority is later contested.
Digital evidence. Investigators and forensic teams stamp the hash of a seized file or report so the collection time is anchored to an independent authority rather than a workstation clock.
Contracts and agreements. Parties timestamp a signed document to fix the moment it was finalised, deterring later backdating claims.
Audit and compliance. Teams stamp the hashes of logs, ledgers and deliverables so a regulator can confirm a record existed before a cut-off date.
In every case the principle is identical: the hash proves the content, the timestamp proves the time.
Verifying a Timestamp Later
The value of a timestamp is realised months or years later, when someone needs to check it. Verification is a clean, repeatable process. You recompute the file's hash today, confirm it matches the hash recorded inside the signed timestamp token, and then validate the Time-Stamping Authority's signature on that token. If the recomputed hash matches and the signature is valid, the token proves the file existed, unchanged, at the stamped time — full stop. Nothing about this depends on your own clock or your own word. You can recompute the underlying fingerprint with e-Dex's hash tool and confirm signed certificates through the online certificate verifier.
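Added example (not from the original article or from e-Dex): the request side of the RFC 3161 flow described under "How It Works at a High Level" and the hash-comparison step of the verification above, written with Python's standard library only. It assumes SHA-256, and the helper names and sample document are constructed for illustration; the request stays a few dozen bytes whatever the file size and carries only the digest, which the TSA copies unchanged into the token it signs.

```python
import hashlib
import hmac
import secrets

# DER AlgorithmIdentifier for SHA-256: OID 2.16.840.1.101.3.4.2.1, NULL parameters
SHA256_ALG_ID = bytes.fromhex("300d06096086480165030402010500")

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_uint(value: int) -> bytes:
    """DER INTEGER for a non-negative value; the extra bit keeps it positive."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_position) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_timestamp_request(digest: bytes, nonce: int) -> bytes:
    """TimeStampReq: version 1, SHA-256 MessageImprint, nonce, certReq=TRUE."""
    imprint = der(0x30, SHA256_ALG_ID + der(0x04, digest))
    return der(0x30, der_uint(1) + imprint + der_uint(nonce) + der(0x01, b"\xff"))

def imprint_digest(request: bytes) -> bytes:
    """Extract hashedMessage from a TimeStampReq (version, then MessageImprint)."""
    _, body, _ = read_tlv(request, 0)        # outer SEQUENCE
    _, _, pos = read_tlv(body, 0)            # skip version INTEGER
    _, imprint, _ = read_tlv(body, pos)      # MessageImprint SEQUENCE
    _, _, pos = read_tlv(imprint, 0)         # skip AlgorithmIdentifier
    tag, digest, _ = read_tlv(imprint, pos)  # hashedMessage OCTET STRING
    if tag != 0x04:
        raise ValueError("hashedMessage is not an OCTET STRING")
    return digest

def imprint_matches(data: bytes, request: bytes) -> bool:
    """Recompute the hash of the data and compare it with the recorded imprint."""
    return hmac.compare_digest(hashlib.sha256(data).digest(), imprint_digest(request))

if __name__ == "__main__":
    document = b"constructed sample contract text\n" * 1000   # stand-in for a file
    req = build_timestamp_request(hashlib.sha256(document).digest(), secrets.randbits(64))
    print(len(document), len(req), imprint_matches(document, req), imprint_matches(document + b"x", req))
```

The imprint comparison is only half of verification: the TSA's signature on the returned token still has to be validated against the authority's certificate chain with a CMS-capable tool such as `openssl ts -verify`.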
How This Fits the Bigger Picture
Timestamping rarely stands alone. It pairs naturally with a signature, so that one document proves what, who and when together. Our companion guide on how to sign and timestamp a forensic certificate with PAdES and RFC 3161 walks through combining a digital signature with a trusted timestamp on a single certificate. To see how the integrity and timing pieces come together into a defensible record, explore the Digital Evidence Integrity Suite. The timestamp is the layer that answers WHEN; everything else builds around it.
Frequently Asked Questions
What does timestamping a hash actually prove?
Timestamping a hash proves that the data behind that hash existed at or before a specific moment in time.
The hash is the fingerprint of your file, and the trusted timestamp binds that fingerprint to a verified
time. Together they let you later show that this exact file existed at that moment, without proving who
created it or what it contains. It answers the question of WHEN, in the same way a hash answers the
question of WHAT.
Why is a hash alone not enough to prove when a file existed?
A hash only proves that a file is unchanged; it carries no reliable date. The modified date shown by your
operating system comes from the local clock, which can be wrong, drift, or be deliberately changed.
Anyone can set a computer's clock to any value, so a self-recorded timestamp is not independent evidence.
To prove WHEN a file existed you need a time attested by a neutral third party, which is exactly what a
trusted timestamp provides.
Does timestamping a hash reveal the contents of my file?
No. You only ever send the hash, never the file. A hash is a one-way fingerprint, so the Time-Stamping
Authority can sign it without ever seeing or being able to reconstruct your data. This keeps confidential
documents, source code or evidence private while still letting you prove later that the data existed at
the stamped time.
What is an RFC-3161 Time-Stamping Authority?
RFC 3161 is the internet standard that defines how a Time-Stamping Authority (TSA) issues trusted
timestamps. You send a request containing your file's hash; the TSA combines that hash with its own
trusted clock time, signs the pair with its private key and returns a signed timestamp token. Because the
token is digitally signed by an independent authority, anyone can later verify that the hash existed at
the stated time.
How do I verify a timestamp later?
To verify, you recompute the file's hash, check that it matches the hash inside the signed timestamp
token, and validate the Time-Stamping Authority's signature on the token. If the hash matches and the
signature is valid, the token proves the file existed unchanged at the stamped time. e-Dex can produce
the hash and verify integrity certificates so this check can be repeated months or years later.
Conclusion
A hash answers what; a trusted timestamp answers when. On their own, neither is the whole story — but together they let you prove that a specific file existed at a specific moment, to a neutral verifier, without ever exposing the file's contents. That is the quiet power of timestamping a hash, and it underpins everything from intellectual-property priority to court-ready evidence. e-Dex lets you generate the hashes and produce signed, timestamped integrity certificates on your own machine. Try the e-Dex hash tool and start anchoring your files to a time you can prove.